Je veux savoir à propos de…

2308

Federal Register / Vol. 86, No. 7 / Tuesday, January 12, 2021 / Proposed Rules
The Boards rule applies to statechartered banks that are members of the Federal Reserve System, bank holding companies, savings and loan holding companies, U.S. operations of foreign banking organizations, Edge and agreement corporations collectively, Board-regulated entities. As described in the Impact Analysis section, requirements under the proposed rule would apply to all Boardregulated entities. Under regulations issued by the Small Business Administration, a small entity includes a depository institution, bank holding company, or savings and loan holding company with total assets of $600
million or less and trust companies with total receipts of $41.5 million or less.29
According to Call Reports and other Board reports, there were approximately 472 state member banks, 2,925 bank holding companies, 132 savings and loan holding companies, and 16 Edge and agreement corporations that are small entities.30 In addition, the proposed rule affects all bank service providers that provide services subject to the BSCA.31 The Board is unable to estimate the number of bank service providers that are small due to the varying types of banking organizations that may enter into outsourcing arrangements with bank service providers.
The proposed rule would require all banking organizations to notify their primary federal regulator as soon as possible and no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred. The agencies estimate that, upon occurrence of a notification incident, an affected banking organization may incur compliance costs of up to three hours of staff time to coordinate internal communications, consult with its bank service provider, if appropriate, and notify the banking organizations primary federal regulator.
As described in the Impact Analysis section above, this requirement is estimated to affect a relatively small number of Board-regulated entities. The agencies believe that any compliance costs associated with the notice requirement would be de minimis, because the communications that led to the determination of the notification
incident would have occurred regardless of the proposed rule.
The proposed rule also would require a bank service provider, as defined herein and in accordance with the BSCA, to notify at least two individuals at affected banking organization customers immediately after it experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair the provision of services subject to the BSCA for four or more hours. As described in the Impact Analysis section above, the agencies believe that any compliance costs associated with the implementation of this requirement would be de minimis for each affected bank service provider. There are no other recordkeeping, reporting or compliance requirements associated with the proposed rule.
The Board has not identified any federal statutes or regulations that would duplicate, overlap, or conflict with the proposed revisions, and the Board is not aware of any significant alternatives to the final rule that would reduce the economic impact on Boardregulated small entities. For the reasons stated above, the Board believes that this proposed rule will not have a significant economic impact on a substantial number of small entities.
The Board welcomes comment on all aspects of its analysis. In particular, the Board requests that commenters describe the nature of any impact on small entities and provide empirical data to illustrate and support the extent of the impact.
FDIC: The Regulatory Flexibility Act RFA generally requires an agency, in connection with a proposed rule, to prepare and make available for public comment an initial regulatory flexibility analysis that describes the impact of a proposed rule on small entities.32
However, a regulatory flexibility analysis is not required if the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities.
The Small Business Administration SBA has defined small entities to include banking organizations with total assets of less than or equal to $600
million.33 Generally, the FDIC considers
khammond on DSKJM1Z7X2PROD with PROPOSALS

32 5

29 See
13 CFR 121.201; 84 FR 34261 July 18,
2019.
30 State member bank data is derived from March 31, 2020 Call Reports. Data for bank holding companies and savings and loan holding companies are derived from the June 30, 2020, FR Y9C and FR Y9SP. Data for Edge and agreement corporations are derived from the December 31, 2019 and March 31, 2020, FR2086b.
31 Discussed in detail in the Impact Analysis section.

VerDate Sep<11>2014

16:31 Jan 11, 2021

Jkt 253001

U.S.C. 601 et seq.
SBA defines a small banking organization as having $600 million or less in assets, where an organizations assets are determined by averaging the assets reported on its four quarterly financial statements for the preceding year. See 13 CFR
121.201 as amended by 84 FR 34261, effective August 19, 2019. In its determination, the SBA
counts the receipts, employees, or other measure of size of the concern whose size is at issue and all of its domestic and foreign affiliates. See 13 CFR
121.103. Following these regulations, the FDIC uses 33 The
PO 00000

Frm 00010

Fmt 4702

Sfmt 4702

a significant effect to be a quantified effect in excess of 5 percent of total annual salaries and benefits per institution, or 2.5 percent of total noninterest expenses. The FDIC believes that effects in excess of these thresholds typically represent significant effects for FDIC-supervised institutions. For the reasons described below, the FDIC
certifies that the proposed rule will not have a significant economic impact on a substantial number of small entities.
As described in the Impact Analysis section, the proposed rule is expected to affect all institutions supervised by the FDIC. According to recent Call Reports, the FDIC supervises 3,270 insured depository institutions FDICsupervised IDIs.34 Of these, approximately 2,492 FDIC-supervised IDIs would be considered small entities for the purposes of RFA.35 These small entities hold approximately $540 billion in assets, accounting for 14 percent of total assets held by FDIC-supervised institutions. In addition, the rule affects all bank service providers that provide services subject to the BSCA.36 The FDIC is unable to estimate the number of affected bank service providers that are small. For purposes of this certification, the FDIC assumes, as an upper limit, that all affected bank service providers are small.
The proposed rule would require a banking organization to notify its primary federal regulator as soon as possible and no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred. As described in the Impact Analysis section above, this requirement is estimated to affect a relatively small number of FDICsupervised institutions and impose a compliance cost of up to three hours per incident. The agencies believe that the regulatory burden of such a requirement would be de minimis in nature, since the internal communications that led to the determination of the notification incident would have occurred regardless of the proposed rule.37
In addition, the proposed rule would require a bank service provider, as defined herein and in accordance with the BSCA, to notify at least two individuals at affected banking a banking organizations affiliated and acquired assets, averaged over the preceding four quarters, to determine whether the banking organization is small for the purposes of RFA.
34 FDIC Call Reports, June 30, 2020.
35 Id.
36 Discussed in detail in the Impact Analysis section.
37 Even at an elevated labor compensation rate of $200 per hour, the proposed rule would impose a cost burden of less than $600 per incident.

E:FRFM12JAP1.SGM

12JAP1